Faberc blog website

 Wednesday, October 28, 2009

I had great difficulty finding the CRC16 X.25 algorithm (polynomial x^16 + x^12 + x^5 + 1, reverse order), so I want to share the C source code with anyone who needs to implement that algorithm in their own project.

CRC16 (X.25) C source code  CRC16-X25.zip (1.06 KB)

10/28/2009 12:20:50 PM (W. Europe Standard Time, UTC+01:00)
 Friday, August 14, 2009
8/14/2009 9:16:48 PM (W. Europe Standard Time, UTC+01:00)
 Sunday, June 08, 2008

This application shares a webcam source (publisher) with multiple clients (subscribers). It uses duplex HTTP communication, in which the receiver of an initial message does not reply directly to the initial sender but may transmit any number of responses for as long as the connection exists. It's a push-style notification: subscribers send subscription messages to publishers, who then send publication messages to the subscribers. You can run multiple instances of the subscriber over an intranet or the internet.

The subscriber software is a WPF application with a reflection effect. Note: the application doesn't work if the hosts are located across NATs.

Webcam Service Publisher application
WPF Webcam Service Subscriber application

Credits: thanks to Sebastien Durel for the beautiful old style png icon (http://www.crystalxp.net).

6/8/2008 11:03:45 AM (W. Europe Standard Time, UTC+01:00)

This is an example of a WPF browser application (aka XBAP) running in your browser's sandbox with partial-trust security permissions. Simple and impressive.

AboutMyFamily.xbap

Note: the WPF MediaElement may not work on Windows XP.

6/8/2008 12:50:54 AM (W. Europe Standard Time, UTC+01:00)
 Saturday, December 29, 2007
12/29/2007 1:27:48 AM (W. Europe Standard Time, UTC+01:00)
 Sunday, December 23, 2007

Last week I was infected by a worm via a USB pen (UFO.EXE).

This is a variant of many similar backdoors/worms; these instructions
can be useful for understanding how such attacks work.

These are the steps I took to remove the worm and the related malware
loaded by that backdoor.

1) First of all: disconnect the infected PC from any network
or internet connection.

The malware downloads viruses and updates from internet sites
while you browse:
cn911.org, , obutan.com, baidu8.com, 222.122.45.146,
eu.logon.worldofwarcraft.com, us.logon.worldofwarcraft.com
Try to block these sites with your firewall!


2) clean the USB pen

delete UFO.EXE (hidden file)
delete autorun.inf (hidden file that loads the ufo.exe worm)
These files are created by infected PCs any time you insert a USB pen
or removable hard disk.
Afterwards, create a fake empty autorun.inf file with the READ-ONLY property
to block the loading of ufo.exe from an infected PC.

3) removal actions

- Run "Process Explorer" by Mark Russinovich (www.sysinternals.com)
and kill the svchost process at root level (it is the process that creates
the UFO.EXE/AUTORUN.INF files any time you insert a removable disk)

- with regedit, remove just the string ",C:\WINDOWS\system32\secpol.exe"
from the key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\secpol.exe,
It needs to become (don't remove the userinit.exe!):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
C:\WINDOWS\system32\userinit.exe

- delete the secpol.exe file from C:\WINDOWS\system32

- with regedit, remove the fsmgmt key from
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify

- delete the fsmgmt.dll file from c:\windows\system32
Note: the product name shows: "Microsoft? Windows? Operating System"

- delete any files from the locations:
C:\Documents and Settings\<user>\Impostazioni locali\Temporary Internet Files
and
C:\Documents and Settings\<user>\Impostazioni locali\Temp


That's all. I also removed some unknown users *S-1-5-21..... from security policies.
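
The registry checks from step 3 as a script; this is an added example, not part of the original post. It splits the Winlogon value shown above (assumed here to be the standard Userinit value) into entries, reports anything other than userinit.exe, and flags Notify subkeys named in the post. The function names, the sample Notify list and the default C:\WINDOWS install path are assumptions.

```python
"""Audit the Winlogon persistence points named in the removal steps."""
import sys

WINLOGON = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Assumption: Windows is installed in C:\WINDOWS, as in the post.
EXPECTED_USERINIT = r"C:\WINDOWS\system32\userinit.exe"
REPORTED_NOTIFY = {"fsmgmt"}  # Notify subkey name reported in the post


def extra_userinit_entries(value, expected=EXPECTED_USERINIT):
    """Return every Userinit entry other than the legitimate userinit.exe."""
    # The value is a comma-separated list, normally with a trailing comma.
    entries = [e.strip().strip('"') for e in value.split(",")]
    return [e for e in entries if e and e.lower() != expected.lower()]


def reported_notify_keys(subkeys, reported=REPORTED_NOTIFY):
    """Return Notify subkey names that match the names reported in the post."""
    return [k for k in subkeys if k.lower() in reported]


def read_live():
    """Read Userinit and the Notify subkey names from the local registry."""
    import winreg  # Windows only
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON) as key:
        userinit, _ = winreg.QueryValueEx(key, "Userinit")
    names = []
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON + r"\Notify") as key:
            count = winreg.QueryInfoKey(key)[0]  # number of subkeys
            names = [winreg.EnumKey(key, i) for i in range(count)]
    except FileNotFoundError:
        pass  # no Notify key on this system
    return userinit, names


if __name__ == "__main__":
    if sys.platform == "win32":
        userinit, notify = read_live()
    else:
        # Constructed sample reproducing the infected state shown in the post.
        userinit = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\secpol.exe,"
        notify = ["crypt32chain", "fsmgmt"]
    print("Unexpected Userinit entries:", extra_userinit_entries(userinit))
    print("Notify keys named in the post:", reported_notify_keys(notify))
```

An empty result from both functions only means these two specific changes are absent; any other Notify subkey should still be reviewed by hand.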

Credits: I'd like to sincerely thank the folks at Sysinternals.

12/23/2007 7:09:48 PM (W. Europe Standard Time, UTC+01:00)
 Sunday, December 09, 2007

The TalkTogether screenshots, displayed via a Silverlight slide viewer application (a mix of XAML/JavaScript/Ajax)

12/9/2007 11:04:34 AM (W. Europe Standard Time, UTC+01:00)
 Sunday, October 28, 2007

A peer to peer voice/text chat.

http://TalkTogether.faberc.com
10/28/2007 7:43:38 PM (W. Europe Standard Time, UTC+01:00)